Not for the first time, a Black Hat presentation ended with a compromised ATM spewing cash on stage. This time, the cash was phony, but it certainly made a point. As ATMs have become ubiquitous, so too have attacks that turn these automated tellers into robotic thieves. At the 2016 Black Hat conference, Rapid7's Senior Pentester Weton Hecker showed off ways to defeat even the newest ATMs.

ATM attacks are nothing new, especially not at Black Hat where Barnaby Jack's work is perhaps best known. Scammers have been placing skimmer devices over ATM card readers for years. These fit over the standard ATM card reader, and "skim" your information as you swipe your debit card. More advanced skimmers come with number pads that fit over the standard ATM keypad and thus capture your PIN. However, you could accomplish the same feat with a cleverly mounted camera. Or, better yet, simply use the card data at an online retailer. "Shims," or malicious card readers placed inside, instead of over, the ATM's card reader, are much harder to spot.

It's for this reason that security experts, and PCMag, have long advised people to carefully inspect ATMs before withdrawing money. Wiggling the card reader, or trying to pry up the PIN pad, can usually determine whether the machine has been tampered with and a data-stealing skimmer added.

"Right now, they're going for the low-hanging fruit, which is magstripe data" said Hecker, speaking to what hackers try to steal from ATMs. But Hecker believes that scammers will soon start going after EMV cards--that is, cards with embedded chips. These have been around for decades and are generally considered more secure than older magstripe cards, but have only recently come to the US. After 400 hours of research and reading 1,400-page manuals, Hecker not only has a new attack but a vision for how the bad guys may operate in the future.

La CaraThe physical portion of Hecker's attack is "La Cara," a piece of plastic fascia surrounding modified cellphone hacking tools, an Arduino, an EMV card, and several servo motors. La Cara is fitted into the front of the ATM, over the card slot and PIN pad.

Once in place, La Cara receives captured EMV and PIN data and then, using its motors and EMV card, enters the information into the ATM. The ATM in turn, spits out money. At his Black Hat presentation, Hecker continued to take questions as La Cara spewed very realistic cash. A gathered crowd soon realized that it was phony bills.

What makes Hecker's attack unique isn't La Cara. The machine is just a faster, more reliable way to get money from target ATMs. It's what's going on behind the scenes that makes his resarch so remarkable.The attack requires several ATMs or point-of-sale devices. Some are fitted with various shimming and skimming devices in order to capture user data. He suggested that gas stations would make an excellent target, since gas pump card readers are left unattended for hours at a time.

To capture the PIN, Hecker dismissed a number of options such as cameras, skimmer overlays, and automatically removing the PIN which is sometimes expressed in plaintext on ATMs. Instead, he attacked the radar systems which have begun appearing in newer ATMs. These are designed to detect if a foreign object has been attached or inserted into the ATM. Hecker took such an ATM and sprinkled its PIN pad with iron shavings. Then, he watched how the radar data eminating from the machine changed as keys were pressed. This allowed him to quickly and easily capture PINs, without having to attach anything to the ATM.

When a victims enter their information into these malicious ATMs and POSs, their information and all the stages of a legitimate EMV transaction are captured and sent over the Internet through a VPN tunnel to a payout ATM fitted with a La Cara device. "This is not cloning cards," said Hecker. "It is relaying it."

A New MarketplaceThe steps between capturing victim data and cashing out with La Cara are the most interesting. Hecker proposed that in the future, scammers won't just sell captured credit card data on Dark Web sites as they do now. Instead, he said that they'll purchase a VPN tunnel onto a fraud network.

The scammers log into the site, rent or build their La Cara system, and then purchase a block of time from the fraud network. They then select their payout machine, place the La Cara, and wait for their block of time. When it comes up, the La Cara receives the real-time captured data and the target ATM starts to pay out. The scammers with the La Cara get the cash and the managers of the fraud network get paid. It would be a whole new ecosystem.

Hecker described how, through his research, he found and demonstrated that such a system was entirely possible. It would also be smart. It could differentiate, for example, between cards that are keyed to only be used for certain purchases, like gas cards. The system could also determine the bank of origin, and thus make an accurate guess about the ATM limit for that particular victim.

Hecker believes this could lead to massive payouts, depending on what bills are available in the ATM, of course. To that point, his research found several ATMs that stock $100 bills. "In Dubai, there are ones that dispense gold," he said. He estimated a payout of $20,000 to $50,000 within 15 minutes with this system.

The Bad FutureFortunately, such a complex fraud network does not exist, although after hearing Hecker's research it certainly seems possible. Considering that a single researcher could build an entire banking network back end in order to demonstrate his work, who knows what the highly organized and industrial professional scammers could do.

Like many researchers at Black Hat, Hecker called for banks and security companies to take his concerns seriously. "It would be nice to have preemptive work," he said. But unlike other presenters, Hecker was visibly nervous about his own work. Companies, he said, needed more time to fix the problems he'd uncovered. Which is why he hadn't let the ATM he purchased for his research out of his sight, lest someone try to make his nightmare scenario a reality. "Even leaving it unattended in my hotel room made me uncomfortable."

About the Author

Max Eddy is a Software Analyst, taking a critical eye to Android apps and security services. He's also PCMag's foremost authority on weather stations and digital scrapbooking software. When not polishing his tinfoil hat or plumbing the depths of the Dark Web, he can be found working to discern the 100 Best Android Apps.
Prior to PCMag, Max wrote... See Full Bio

Get Our Best Stories!

This newsletter may contain advertising, deals, or affiliate links. Subscribing to a newsletter indicates your consent to our Terms of Use and Privacy Policy. You may unsubscribe from the newsletters at any time.